06-29-2007 05:41 AM
this was a simple config to provide a "sorry" link when the server was down -
content elibrary
  protocol tcp
  port 80
  url "/*"
  add service corey
  vip address X.X.132.180
  active
service corey
  protocol tcp
  port 80
  ip address X.X.126.180
  active
service sorry-library
  ip address X.X.132.239
  keepalive type none
  type redirect
  redirect-string " aaa.bbb.ccc.uk/online/library/sorry/"
  active
... until the server needed to be able to initiate outgoing connections to 300 data providers on the internet using TCP:210, 2100, 2121, 3210, AND with the VIP (X.X.132.180) as source address.
Q1. If I add
group coreyNAT
  add service corey
  vip address X.X.132.180
  active
is that all I need to do, or do I need to create 4 more services -
service corey210
  protocol tcp
  port 210
  ip address X.X.126.180
service corey2100
  etc...
and add them to group coreyNAT as well?
Q2. So that existing live servers on the .126 subnet don't NAT to .132 when initiating connections, and corey doesn't NAT to .132 for connections initiated to internal servers, do I add this -
acl 1
  clause 99 permit any any destination any
  apply circuit-VLAN1 (this is the outside connection)
acl 26
  clause 10 permit any X.X.126.180 255.255.255.255 destination X.X.0.0 0.0.255.255
  clause 20 permit any X.X.126.180 255.255.255.255 destination any sourcegroup coreyNAT
  clause 99 permit any any destination any
  apply circuit-VLAN126 (this is the inside connection to the server corey)
acl 27
  clause 99 permit any any destination any
  apply circuit-VLAN127 (this is another inside connection)
acl enable
Regards
KeithR
06-29-2007 07:26 AM
Keith,
if you configure the 'add service' under the group, the CSS will always NAT traffic from that particular service.
If you want to only NAT under certain conditions, do not specify an 'add service' and simply use an ACL to determine when to use the sourcegroup, as you showed.
You don't need to create a service for each port the server needs to reach.
Gilles.
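To make the two options in Gilles' answer concrete, here is a constructed CSS configuration (an added example, not posted by either participant) that puts the unconditional source group from Q1 next to the ACL-driven one from Q2. The addresses are the thread's own placeholders, the ACL clauses (including their mask notation) are copied from Keith's post, and the group name coreyNAT-always is a hypothetical name used only so the rejected variant can sit beside the recommended one; on a real box you would configure one or the other.

```cisco
!*** Variant A: what Q1 proposed. With 'add service' inside the group the
!*** CSS source-NATs every flow that originates from service corey to the
!*** group VIP, including flows to hosts on the internal X.X.0.0/16 range.
!*** That is the behaviour Q2 is trying to avoid.
group coreyNAT-always
  vip address X.X.132.180
  add service corey
  active

!*** Variant B: what Gilles recommends. The group carries only the VIP and
!*** no 'add service'; nothing is NATed unless an ACL clause on the circuit
!*** names the group with 'sourcegroup'. No per-port services (210, 2100,
!*** 2121, 3210) are needed, because the ACL is keyed on source address,
!*** not on the destination port.
group coreyNAT
  vip address X.X.132.180
  active

!*** ACL applied to the inside circuit facing corey. Clause order matters:
!*** clause 10 permits corey's traffic to internal destinations without a
!*** sourcegroup (no NAT) before clause 20 applies the group to everything
!*** else, i.e. the outbound connections to the data providers. Other hosts
!*** on the .126 subnet fall through to clause 99 and are never NATed.
acl 26
  clause 10 permit any X.X.126.180 255.255.255.255 destination X.X.0.0 0.0.255.255
  clause 20 permit any X.X.126.180 255.255.255.255 destination any sourcegroup coreyNAT
  clause 99 permit any any destination any
  apply circuit-VLAN126

!*** Once ACLs are enabled, a circuit with no ACL applied denies all of its
!*** traffic, which is why Keith's acl 1 and acl 27 exist: permit-any rules
!*** on VLAN1 and VLAN127 keep those circuits passing traffic unchanged.
acl 1
  clause 99 permit any any destination any
  apply circuit-VLAN1
acl 27
  clause 99 permit any any destination any
  apply circuit-VLAN127
acl enable
```

The check to run after applying Variant B is to open a connection from corey to an internal host and one to an external provider port and confirm, with the CSS flow tables or a capture on the outside circuit, that only the external flow carries the .132.180 source address.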
06-29-2007 08:21 AM
Thanks for the swift response, Gilles.
I'll try not to bother you again for a while!
Regards
KeithR